Get The Latest Insights

By The PhishLabs Team | January 24, 2020

Social BECSocial media account compromise is nothing new. If you haven’t had an account hacked in the past, most of us know someone who has. According to a study by the University of Phoenix, almost two-thirds of US adults have had at least one social media account hacked. Another report found that 53% of social media logins are fraudulent.

But what’s the big deal? Your account gets hacked, you eventually regain access (or just set up a new account), and… all’s well that ends well, right?

Account Takeover is a BIG Deal

When a social media account is taken over, it’s much more than an inconvenience. Not only can the attacker access private and potentially sensitive information, they also have the power to broadcast any message they like, either publicly or to a trusted contact. Naturally, this can have a devastating impact on the account’s real owner.

Organizations can have their reputation damaged, or have their customers targeted with malicious messages and malware. Individuals may have other accounts compromised, or be on the receiving end of blackmail.

In recent years, a huge number of organizations have been on the receiving end of social media account takeovers. High profile examples include the U.S. Central Command and Associated Press Twitter accounts – the latter of which led to a false report of explosions at the White House that claimed Barack Obama had been injured.

While that may seem funny to the anarchically minded, think about the disruption and alarm it must have caused around the US. And, as a direct result of the fake tweets published, the Dow Jones dropped almost an entire percent, no doubt costing real people and businesses a lot of money in the process.

What’s in it for the Attacker?

It turns out there’s a reason why threat actors spend so much time trying to take over social media accounts. A successful account takeover can help a threat actor or group achieve a variety of malicious objectives including distributing malware, spreading propaganda, and (for the unoriginal) making money.

Other malicious uses for compromised accounts include:

Perpetuating the attack: Compromised accounts are often used to conduct additional phishing campaigns. Messages containing malicious links are sent from the compromised account to all of its connections. These campaigns are often highly successful because many people treat messages from their connections as inherently safe. In the case of corporate social media accounts, these attacks are particularly damaging as they target the organization’s customers, potentially causing serious reputation damage.

Information gathering: Depending on the motivation of an attack, taking over a social media account may not be the endgame. Once an account is compromised, attackers can harvest all the information they like, giving them a huge supply of intelligence to inform future spear phishing campaigns against the target.

Reputation damage: Once they have control of an account, attackers can use it to do or say whatever they like. Attackers who are idealistic in nature, or have a grudge against their victim, often choose to damage the account owner’s reputation in the hopes of causing them embarrassment or financial hardship.

Blackmail: Although not the most common use of a compromised account, if highly sensitive or embarrassing materials are in the hands of an opportunistic cyber criminal, blackmail is a likely result.

Password reuse: Many people reuse the same login credentials (email and password) for multiple online services. So once attackers have successfully compromised an account, they routinely attempt logins at other popular websites using the same credentials to see what else they can access.

How Does Account Takeover Happen?

Threat actors have many tactics available to them to compromise social media accounts. Here are four of the most common account takeover routes:


Most people give away a lot more information about themselves than they really should. From maiden names and places of birth to favorite pets, children, and musicians, it’s extremely common for people to publicly share information that can be used to hurt them.

Think about how common password recovery processes work. In the distant past when you set up an account, you were asked to provide “secret questions and answers” that could be used to recover the account in the event that you forgot your password – things like where you were born, the names of your favorite pets, and your mother’s maiden name.

See the problem? For many people, this information (along with their primary email address) is readily available to any attacker who chooses to look for it. And once personal information is made available online, it’s almost impossible to get rid of it.

On a separate (but similar) note, all this information can be used for another malicious purpose: Spear phishing.

Friends, and Friends

Let’s be honest, most of us aren’t very discerning about who we add as friends on social media sites. Cyber criminals know this, so they often create legitimate-seeming accounts and send connection requests to as many people as possible. If a threat actor wants to be more convincing, they might create an account for a fake person who claims to have attended a particular school and use it to connect with people who really went to that school.

And what happens once somebody accepts that friend request? The threat actor either sends them a message with a malicious link or researches them and uses the information gathered to develop highly targeted phishing or social engineering campaigns.

Bad Passwords

This might surprise you to hear, but most passwords are still terrible. Yes, even in 2019. Even in this day and age, a lot of people still use passwords like “password” and “123456″.

With passwords that bad, it’s hardly surprising when their accounts are compromised.

Social Media Phishing

One of the most common tactics used to compromise a social media account is good ol’ fashioned phishing.

Typically, users will receive a message (either through social media DMs or email) that contains a malicious link, often accompanied by a simple message like:

“Hey, is this picture of you?!”

If they’re convinced to follow the link, it will take them to a very real-looking social media login page. From there, they enter their login credentials, and, depending on the sophistication of the attack, it either appears not to work or they are routed to the real social media site. Either way, the attacker now has that user’s login credentials.

Remember – Once an account is taken over, the attacker will often try to have the contact details associated with it changed quickly, in in order to control it for as long as possible.

Preventing Social Media Account Takeover

As damaging as account takeover can be for both individuals and organizations, they are avoidable.

To safeguard corporate accounts, particularly if they are accessed by multiple individuals, regular training is essential. Topics should include:

Digital hygiene: Teach users to choose better passwords, never reuse them across services, and never use a password rotation. Single sign-on, two-factor authentication, and password managers are all sensible additional security measures to take in this area.

Information sharing: Helping users to understand what they should and shouldn’t share through social media can go a long way to mitigating the threat of social spear phishing and abuse of password reset procedures.

Recognizing malicious communications: While some attacks are highly sophisticated, most can be spotted if users remain vigilant. Educating them on common attack types (and updating the training as attack vectors evolve) is an essential security measure.

Finally, for individuals, avoiding social media account takeover is primarily about taking sensible precautions, and being skeptical of online communications. In addition to the points mentioned above, we would all do well to remember two things:

1. No legitimate person will ever ask for your password

2. Anything that sounds too good to be true… isn’t true